Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 01:45
Static task: static1
Behavioral task: behavioral1
- Sample: FW CMA SHZ Freight invoice CHN1080769.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: FW CMA SHZ Freight invoice CHN1080769.exe
- Resource: win10v2004-20240426-en
Only the behavioral1 (Windows 7 x64) run's signatures, process tree and artifacts are reproduced below; the Windows 10 run is not shown.
General
- Target: FW CMA SHZ Freight invoice CHN1080769.exe
- Size: 683KB
- MD5: 3288dbaae811a799ea563988c0d78315
- SHA1: 48802f823b253a45d829b15bd0802db54ce35993
- SHA256: e0e366834de34a6e93035842b46662c2b1b05d350c1218953f8faab632ead3ae
- SHA512: fc6b2c90ad9c9f2b906a6247230d2f71a0cbe764b0e3ea2c67d49477fb4f81580dd96a5ba2e3d11e92b15f8421b48e8afd7bd06e6d5ee009b8babfc1acf9cc80
- SSDEEP: 12288:3I23I9uvcHdMFGNX/m7EA++tat0kanlWimxg8NBcHYPLICoPw896GpQkR:YYyK+wGGs+sY8283c4THew8EG9
Malware Config
Extracted configuration (family: agenttesla)
- Protocol: smtp
- Host: mail.springandsummer.lk
- Port: 587
- Username: [email protected]
- Password: anu##323
- Email To: [email protected]
The stealer exfiltrates over authenticated SMTP on the submission port (587) through a third-party mailbox, so the host above is the indicator to hunt for in outbound mail and egress logs. The two addresses appear redacted as "[email protected]" in the source page and are not recoverable from it.
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests credentials from browsers, mail and file-transfer clients, logs keystrokes, and exfiltrates over SMTP, FTP or HTTP; the SMTP variant is what the extracted configuration above describes.
YARA matches (5 IoCs each)
All six rules below fired on the same five memory dumps of RegSvcs.exe (PID 1676), each covering the 264KB image mapped at 0x00400000-0x00442000:
- behavioral1/memory/1676-24-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/1676-26-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/1676-29-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/1676-30-0x0000000000400000-0x0000000000442000-memory.dmp
- behavioral1/memory/1676-32-0x0000000000400000-0x0000000000442000-memory.dmp
Rules:
- INDICATOR_EXE_Packed_GEN01: Detect packed .NET executables. Mostly AgentTeslaV4.
- INDICATOR_SUSPICIOUS_Binary_References_Browsers: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID: Detects executables referencing Windows vault credential objects. Observed in infostealers.
- INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients: Detects executables referencing many email and collaboration clients. Observed in information stealers.
- INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients (rule name spelled as in the rule set): Detects executables referencing many file transfer clients. Observed in information stealers.
In this report the rules match only in memory, not against the file on disk: the browser, vault and client strings they look for are only visible in the unpacked payload after the dropper injects it into RegSvcs.exe, so scanning the 683KB sample on disk would not surface them.
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. Both invocations here use Add-MpPreference -ExclusionPath, one for the running sample and one for the copy it persists as (full command lines in the process tree). Add-MpPreference requires an elevated process; the report does not show whether the calls succeeded.
Processes:
- powershell.exe (PID 2752)
- powershell.exe (PID 2524)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- RegSvcs.exe: Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
The Run key is written by the injected payload running inside RegSvcs.exe, not by the dropper, and it points at a different copy (boqXv\boqXv.exe) than the HDTjheWPb.exe name used by the scheduled task and the second Defender exclusion, so the sample sets up two independent persistence paths.
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1640 (FW CMA SHZ Freight invoice CHN1080769.exe) set thread context of PID 1676 (RegSvcs.exe)
Read together with the repeated WriteProcessMemory calls into PID 1676 and the 264KB image later dumped from it at 0x00400000, this is the standard process-hollowing sequence: the dropper launches the Microsoft-signed .NET utility RegSvcs.exe, overwrites its image with the unpacked payload, and redirects the main thread into it with SetThreadContext.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks.exe is often used by malware for persistence or to perform post-infection execution. Here the task Updates\HDTjheWPb is imported from the dropped XML C:\Users\Admin\AppData\Local\Temp\tmp213.tmp by PID 2588 (the file is listed under Downloads).
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
- FW CMA SHZ Freight invoice CHN1080769.exe (PID 1640): 7 occurrences
- RegSvcs.exe (PID 1676): 2 occurrences
- powershell.exe (PID 2752): 1 occurrence
- powershell.exe (PID 2524): 1 occurrence
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (each adjusted SeDebugPrivilege on its own token):
- PID 1640 FW CMA SHZ Freight invoice CHN1080769.exe
- PID 1676 RegSvcs.exe
- PID 2752 powershell.exe
- PID 2524 powershell.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (all writes are by PID 1640, FW CMA SHZ Freight invoice CHN1080769.exe):
- 4 writes into PID 2752 (powershell.exe)
- 4 writes into PID 2524 (powershell.exe)
- 4 writes into PID 2588 (schtasks.exe)
- 12 writes into PID 1676 (RegSvcs.exe)
The same four writes appear for every ordinary child the sample spawns (they accompany process creation itself); the twelve into RegSvcs.exe are the extra ones, consistent with the hollowing payload being written into the target section by section.
Processes
C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe (PID 1640)
  command line: "C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children of PID 1640:
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HDTjheWPb.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe (PID 2588)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HDTjheWPb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp213.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1676)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
The two PowerShell children are PIDs 2752 and 2524. Note that each child's image path is under SysWOW64 although its command line names System32: the sample is a 32-bit executable, so WOW64 file-system redirection serves it the 32-bit copies of powershell.exe and schtasks.exe, and RegSvcs.exe is likewise the 32-bit Framework build, matching the 32-bit payload it is made to host. Detection content that keys on the full System32 path will miss these; match on the image name instead.
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp213.tmp (the scheduled-task XML passed to schtasks /XML)
  Filesize: 1KB
  MD5: 2fe09381557a5024960661ba90558621
  SHA1: 15a7583268d10cd5fda892f3220739b593b027f3
  SHA256: 26bb5e687569fbfce59b9b798422e51337ed0f6243bea9e818e714710199fd90
  SHA512: 4bab0ecbeab11c17dc841a76f6eaae8a363140c355bf74175cc01150b91e5f0acc0bcb448f2104bdd80c7adfb828197474966aff9e8bc57368c55236f91c7829
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0JTLJ5C67AVXI2K99PIQ.temp (an Explorer jump-list temporary file, most likely a side effect of the sandbox session rather than something the sample wrote deliberately)
  Filesize: 7KB
  MD5: cb4ec0c1dba75eaf64e55523a30d0f9e
  SHA1: 594b1d36a78e6928419f7d9ed9dce52f6d220820
  SHA256: dd64bfade1641504ccb0853f922fd37a8d1748cf8d622fd3eab31ea597a06a2b
  SHA512: cf77533ad58ea1929be7b98c0aba4fec21940278042e7945d0d5557e52e90a78710ea5765751a56ca4cfdbe6109b885cb400d582228ce946dfa2868c7898d99d
Neither HDTjheWPb.exe nor boqXv\boqXv.exe, the two persisted copies named in the Defender exclusions, the scheduled task and the Run key, was captured as a dropped file in this run.
Memory dumps (behavioral1)
PID 1640 (FW CMA SHZ Freight invoice CHN1080769.exe):
- memory/1640-0-0x0000000073EEE000-0x0000000073EEF000-memory.dmp: 4KB
- memory/1640-1-0x0000000000DD0000-0x0000000000E7E000-memory.dmp: 696KB
- memory/1640-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp: 6.9MB
- memory/1640-3-0x0000000004310000-0x00000000043B2000-memory.dmp: 648KB
- memory/1640-4-0x0000000000B30000-0x0000000000B4A000-memory.dmp: 104KB
- memory/1640-5-0x00000000004C0000-0x00000000004D0000-memory.dmp: 64KB
- memory/1640-6-0x00000000052E0000-0x0000000005364000-memory.dmp: 528KB
- memory/1640-7-0x0000000073EEE000-0x0000000073EEF000-memory.dmp: 4KB
- memory/1640-33-0x0000000073EE0000-0x00000000745CE000-memory.dmp: 6.9MB
PID 1676 (RegSvcs.exe):
- memory/1676-20-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1676-22-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1676-24-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1676-26-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1676-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/1676-29-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1676-30-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
- memory/1676-32-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
The seven 264KB dumps of PID 1676 are successive snapshots of one region, 0x00400000-0x00442000, where the hollowed RegSvcs.exe image was replaced by the payload. The YARA rules above matched dumps 24, 26, 29, 30 and 32 but not the two earliest (20 and 22), which were presumably taken before the payload had been fully written; when carving the unpacked AgentTesla binary for further analysis, use one of the later dumps.